Re: [PATCH] RFC: Support an EFI-loader bootflow

[AKASHI Takahiro <takahiro.akashi@linaro.org>]

Simon,

On Thu, Sep 02, 2021 at 10:40:57AM -0600, Simon Glass wrote:
> Hi Takahiro,
> 
> On Tue, 31 Aug 2021 at 00:14, AKASHI Takahiro
> <takahiro.akashi@linaro.org> wrote:
> >
> > Simon,
> >
> > On Sat, Aug 28, 2021 at 02:35:21PM -0600, Simon Glass wrote:
> > > This is just a demonstration of how to support EFI loader using bootflow.
> > > Various things need cleaning up, not least that the naming needs to be
> > > finalised. I will deal with that in the v2 series.
> > >
> > > In order to support multiple methods of booting from the same device, we
> > > should probably separate out the different implementations (syslinux,
> > > EFI loader
> >
> > I still believe that we'd better add "removable media" support
> > to UEFI boot manager first (and then probably call this functionality
    ^^^^^^^^^^^^^^^^^^^^^^^^^^

> > from bootflow?).
> >
> > I admit that, in this case, we will have an issue that we will not
> > recognize any device which is plugged in dynamically after UEFI
> > subsystem is initialized. But this issue will potentially exist
> > even with your approach.
> 
> That can be fixed by dropping the UEFI tables and using driver model
> instead. I may have mentioned that :-)

I'm afraid that you don't get my point above.

> >
> > > and soon bootmgr,
> >
> > What will you expect in UEFI boot manager case?
> > Boot parameters (options) as well as the boot order are well defined
> > by BootXXXX and BootOrder variables. How are they fit into your scheme?
> 
> I haven't looked at boot manager yet, but I can't imagine it
> presenting an insurmountable challenge.

I don't say it's challenging.
Since you have not yet explained your idea about how to specify
the *boot order* in your scheme, I wonder how "BootXXXX"/"BootOrder"
be treated and honored.
There might be a parallel world again.

> >
> > But anyway, we can use the following commands to run a specific
> > boot flow in UEFI world:
> > => efidebug boot next 1(or whatever else); bootefi bootmgr
> 
> OK.
> 
> As you probably noticed I was trying to have bootflow connect directly
> to the code that does the booting so that 'CONFIG_CMDLINE' can be
> disabled (e.g. for security reasons) and the boot will still work.

# Maybe, it sounds kinda chicken and egg.

Even now, you can code this way :)

   efi_set_variable(u"BootNext", ..., u"Boot0001");
   do_efibootmgr();

That's it. My concern is what I mentioned above.

Just a note:
In the current distro_bootcmd, UEFI boot manager is also called
*every time* one of boot media in "boot_targets" is scanned/enumerated.
But it will make little sense because the current boot manager only
allows/requires users to specify both the boot device and the image file
path explicitly in a boot option, i.e. "BootXXXX" variable, and tries
all the boot options in "BootOrder" until it successfully launches
one of those images.

> >
> > > Chromium OS, Android, VBE) into pluggable
> > > drivers and number them as we do with partitions. For now the sequence
> > > number is used to determine both the partition number and the
> > > implementation to use.
> > >
> > > The same boot command is used as before ('bootflow scan -lb') so there is
> > > no change to that. It can boot both Fedora 31 and 34, for example.
> > >
> > > Signed-off-by: Simon Glass <sjg@chromium.org>
> > > ---
> > > See u-boot-dm/bmea for the tree containing this patch and the series
> > > that it relies on:
> > >
> > >   https://patchwork.ozlabs.org/project/uboot/list/?series=258654&state=*
> > >
> 
> [..]
> 
> > > +static int efiload_read_file(struct blk_desc *desc, int partnum,
> > > +                          struct bootflow *bflow)
> > > +{
> > > +     const struct udevice *media_dev;
> > > +     int size = bflow->size;
> > > +     char devnum_str[9];
> > > +     char dirname[200];
> > > +     loff_t bytes_read;
> > > +     char *last_slash;
> > > +     ulong addr;
> > > +     char *buf;
> > > +     int ret;
> > > +
> > > +     /* Sadly FS closes the file after fs_size() so we must redo this */
> > > +     ret = fs_set_blk_dev_with_part(desc, partnum);
> > > +     if (ret)
> > > +             return log_msg_ret("set", ret);
> > > +
> > > +     buf = malloc(size + 1);
> > > +     if (!buf)
> > > +             return log_msg_ret("buf", -ENOMEM);
> > > +     addr = map_to_sysmem(buf);
> > > +
> > > +     ret = fs_read(bflow->fname, addr, 0, 0, &bytes_read);
> > > +     if (ret) {
> > > +             free(buf);
> > > +             return log_msg_ret("read", ret);
> > > +     }
> > > +     if (size != bytes_read)
> > > +             return log_msg_ret("bread", -EINVAL);
> > > +     buf[size] = '\0';
> > > +     bflow->state = BOOTFLOWST_LOADED;
> > > +     bflow->buf = buf;
> > > +
> > > +     /*
> > > +      * This is a horrible hack to tell EFI about this boot device. Once we
> > > +      * unify EFI with the rest of U-Boot we can clean this up. The same hack
> > > +      * exists in multiple places, e.g. in the fs, tftp and load commands.
> >
> > Which part do you call a "horrible hack"? efi_set_bootdev()?
> > In fact, there are a couple of reason why we need to call this function:
> > 1. to remember a device to create a dummy device path for the loaded
> >    image later,
> > 2. to remember a size of loaded image which is used for sanity check and
> >    image authentication later,
> > 3. to avoid those parameters being remembered accidentally by "loading" dtb
> >    and/or other binaries than the image itself,
> >
> > I hope that (1) and (2) will be avoidable if we modify the current
> > implementation (and bootefi syntax), and then we won't need (3).
> 
> Yes thank you...I do understand why it is needed now, but it is
> basically due to the the  fat that EFI has its own driver structures.
> Once we stop those, it will go away.

Here, my point is, even under the current implementation, we will
be able to eliminate efi_set_bootdev() with some tweaks.

In other words, even you could integrate UEFI into the device model,
the issue (2), for example, would still remain unsolved.
In case of (2), we use the *size* information for sanity check against
image's header information as well as calculating a hash value for
UEFI secure boot when efi_load_image() is called. Even if the integration
is done, we need to pass on the size information to "bootefi <addr>"
command implicitly or explicitly.

> >
> > > +      * Once we can clean up the EFI code to make proper use of driver model,
> > > +      * this can go away.
> >
> > My point is, however, that this kind of cleanup is irrelevant to
> > whether we use driver model or not.
> 
> Are you sure? Without driver model how are you going to reference a
> udevice? If not that, how are you going to reference a device? The
> tables in the UEFI implementation were specifically added to avoid
> relying on driver model. It is a crying shame that I did not push back
> harder on this at the time.

I hope you will get my point in the previous comment now.

Thanks,
-Takahiro Akashi


> Regards,
> Simon